Read my Lips

Posted on Thursday 13 June 2013 byUlster Business

We've all seen the sci-fi movies where the security of the future is based on iris recognition, voice verification and facial scans.

While those biometric technologies once seemed like a distant dream, the consumerisation of technology and proliferation of smart devices means that science fact is quickly catching up with science fiction.

And one new company about to spin-out from QUB's Centre for Secure Information Technologies - the UK's largest cyber security academic research lab - is hoping to revolutionise the way we view password access.

Liopa (gaelic for lip) is a mobile biometric authentication and speaker verification application, service and application programming interface (API).

In layman's terms that means it asks users to vocalise a random sequence of letters, digits or words into a mobile camera which then records and processes the video, offloads it to a server and verifies the person's identity against a database of enrolled individuals.

The identity of that person is verified using a biometric characteristic known as visemes – the way your lips form words.

After a decade developing and commercialising research into what's officially known as pose invariant lip biometric authentication and speaker verification, Dr. Darryl Stewart, Dr. Michael Loughlin and Dr Fabian Campbell-West - the team behind Liopa - say the technology has reached a point where it can create a viable business.

David Crozier, CSIT's Technical Marketing Manager and the fourth member of the Liopa team explains: "We're getting to a point now where every smartphone and tablet comes with a forward facing camera which allows us to use our technology to carry out speaker authentication. Our research has been waiting for this technology to be available.

"It also happens that over the last couple of years password security has also come under increasing pressure. A lot of online systems are being hacked and cracked. Wired magazine, the bible for technology engineers, said in January that the age of the password is over, we just haven't realised it yet," he added.

"A lot of financial transactions are moving to mobile. By 2018 it is estimated mobile transactions will be worth $18trillion a year. As money moves mobile, theft and crime will follow."

One of the key problems with passwords is that, through policy or necessity, industry has come up with password rules that are hard to remember for people but easy to crack by machines.

Because of the password security risks many countries are now mandating that online service providers use multi-factor authentication – whether that's a physical device like a secure token or an additional process like the Verified by Visa password needed for some online purchases.

However, online retailers report an up to 50% drop out rate of people who've abandoned online transactions because they have forgotten their Verified by Visa password, and physical devices like secure tokens run the risk of being lost. Liopa could be incorporated into existing solutions to remove these hurdles.

"Using the Verified by Visa example, rather than typing in a password, the application will present you with a Liopa interface and a random sequence of numbers or letters which you speak into the phone. It will verify it is you and approve the payment," he explains.

Crozier says viseme analysis has been proven to be more accurate than face biometrics and voice biometrics, and a better indication of the "liveness" of the person as it can't be fooled by a static image or audio playback.

"As you age, as your appearance changes, the system evolves. It improves with the number of enrolled users. It will be more accurate with a million users than 10,000 because the more biometric data we have the stronger the algorithms will be and the fewer false positives we'll have."

At present, Liopa's algorithm is around 87% accurate but the intention is to get that up to 98% over the next couple of years. Financial institutions would like to see it get to 95% before they look at the system seriously, says Crozier. To gain traction the system will first be marketed for non-financial transactions and non-commercial websites, for example as an alternative to reCaptches, the blurred numbers you have to type in to comment on a blog or news story.

ReCaptcha from Cylab at Carnegie Mellon University was acquired by Google in 2009 for an estimated $25m – an indication of the size of the potential market for Liopa.

According to a recent MarketsandMarkets report the global multi-factor authentication (MFA) total addressable market which includes different types of authentication is expected to reach $5.45bn by 2017.

Gartner predicts between 2013 and 2016 premium smartphone production growing from 601m units to 965m, media tablet production growing from 113m to 232m and premium tablet production growing from 94m units to 158m. Each device could have multiple apps using Liopa.

"We do think there is a multi-million pound opportunity here for this company. If it reduces the amount of lost sales for ecommerce retailers it creates a saving for them. If it replaces a hardware token, that will enable us to make money. As a liveness indicator it is better than what has come before," says Crozier.

Liopa's development is currently focused on the Android platform, which IDC has predicted will continue to be the dominant smartphone mobile operating system until at least 2016.

It is currently working on a project for the Technology Strategy Board around preventing and reducing fraud in mobile commerce and will release its mobile application and online service by July. Liopa is already speaking to financial institutions and potential partner companies who might license the technology, as well as investors.

Like any new technology, the company does have competition. Rivals include OpenID, oAuth based services such as Facebook Login and Twitter Sign-in, reCaptcha, 3-D Secure (i.e. Verified by Visa), RSA SmartID, my1login ltd, Biometry.com AG and Mobbeel – some of whom have millions of users already.

Liopa also says Google, Apple, Lenovo, Samsung, Hauwai, HTC and other mobile companies represent competition, but could also be potential customers and purchasers of Liopa IP or even the company as a whole in future.

Selling through a tiered software as a service model the company hopes its software will ultimately appeal to banks, card and online merchant account providers as well as large e-commerce retailers and enterprise IT companies providing solutions to clients for challenges such as employees bringing their own devices to work.

"Liopa will effectively be a package of software libraries that software developers can incorporate into apps, whereby our authentication database can be used to verify who people are, or they can purchase the back end database technology and software and manage their own enrolled database of users themselves," adds David Crozier.

"We'll certainly be one of the first to market using viseme based profiling rather than facial or iris recognition. A lot of these technologies have not been widely used because you had to pay for additional hardware infrastructure, for cameras and doors. Now you don't. Smartphone cameras are 1.3 mega pixels – that's high enough resolution for us."